Sophos has announced patches for a critical-severity vulnerability in its firewall products that could allow remote attackers to execute arbitrary code without authentication.

Tracked as CVE-2024-12727 (CVSS score of 9.8), the issue is described as an SQL injection bug affecting the email protection feature. The flaw enables attackers to access the reporting database of the firewalls.

The bug can be exploited for remote code execution (RCE) “if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode”.

According to Sophos’ advisory, the flaw affects firewall product versions prior to 21.0 MR1 (21.0.1) and affects only 0.05% of devices.

Last week, the company announced hotfixes for versions 21 GA, 20 GA, 20 MR1, 20 MR2, 20 MR3, 19.5 MR3, 19.5 MR4, and 19.0 MR2 of its firewall products. The fixes were included in Sophos Firewall version 21.0 MR1 as well.

The updated iteration also addresses CVE-2024-12728 (CVSS score of 9.8), a weak credentials defect for which hotfixes were released in late November.

“The suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization remained active after the HA establishment process completed, potentially exposing a privileged system account on the Sophos Firewall if SSH is enabled, affecting approximately 0.5% of devices,” Sophos explains.

To mitigate the flaw, users should restrict SSH access to “only the dedicated HA link that is physically separate”, or reconfigure the HA “using a sufficiently long and random custom passphrase”. They should also disable WAN access via SSH.

Additionally, patches were released for CVE-2024-12729 (CVSS score of 8.8), a code injection vulnerability in the User Portal that could allow authenticated attackers to execute arbitrary code remotely.

To prevent the exploitation of this bug, users should disable WAN access to the User Portal and Webadmin, Sophos says.

“Sophos has not observed these vulnerabilities to be exploited at this time,” the company notes.

Threat actors exploiting Sophos firewall vulnerabilities, including zero-days, is not unheard of. The US recently charged and sanctioned a Chinese man accused of being involved in a sophisticated threat group’s attacks on Sophos firewalls.  

Related: CISA Releases Mobile Security Guidance After Chinese Telecom Hacking

Related: Sophos, ReversingLabs Release 20 Million Sample Dataset for Malware Research

Related: Malware Attack Takes ISS World’s Systems Offline